google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0

/proc/sys/net/core/rmem_default is visible in non-root network namespaces in recent Linux kernels #10704

Closed EtiennePerot closed 3 months ago

EtiennePerot commented 3 months ago

Description

Linux appears to now expose /proc/sys/net/core/rmem_default to network namespaces that aren't the root network namespace.

I didn't fully bisect, but here's the behavior on my Linux 6.6 machine:

# stat /proc/sys/net/core/rmem_default
<works>
# ip netns add foo && ip netns exec foo stat /proc/sys/net/core/rmem_default
stat: cannot statx '/proc/sys/net/core/rmem_default': No such file or directory

On my Linux 6.11 machine:

# ip netns add foo && ip netns exec foo stat /proc/sys/net/core/rmem_default
  File: /proc/sys/net/core/rmem_default
[...]

This breaks an assumption in isRootNS and therefore breaks sandboxes using Netstack in recent kernels.

https://github.com/google/gvisor/blob/7d35643f0939d87999fe53b1b73929f5d996b08c/runsc/sandbox/network.go#L106-L118

https://github.com/google/gvisor/blob/7d35643f0939d87999fe53b1b73929f5d996b08c/runsc/sandbox/network.go#L154-L160

Steps to reproduce

runsc do echo hi on a fresh Linux kernel:

starting container: setting up network: creating interfaces from net namespace "/proc/42845/ns/net":
  cannot run with network enabled in root network namespace

runsc version

master branch

docker version (if using docker)

Irrelevant

uname

6.11.0-rc1+

kubectl (if using Kubernetes)

N/A

repo state (if built from source)

master

runsc debug logs (if available)

No response
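As an added illustration, not code from gVisor or from either commenter: the isRootNS heuristic linked above infers "root network namespace" from whether a particular sysctl file is visible, and the 6.6 versus 6.11 output shows that the set of sysctls the kernel exposes to child namespaces can change between releases. The example below instead compares network-namespace identity directly through the readlink target of /proc/<pid>/ns/net (a string of the form net:[inode]), which does not depend on which sysctls a given kernel chooses to show. The function names, the choice of PID 1 as the reference process, and the sysctlVisible comparison helper are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Example code for this issue page, not gVisor's own isRootNS or its fix.
// The kernel's /proc/<pid>/ns/net link resolves to a string such as
// "net:[4026531840]"; two processes are in the same network namespace
// exactly when these inode numbers are equal.

// parseNSLink extracts the namespace inode from a /proc/<pid>/ns/<type>
// link target and checks that the namespace type matches nsType.
func parseNSLink(link, nsType string) (uint64, error) {
	prefix := nsType + ":["
	if !strings.HasPrefix(link, prefix) || !strings.HasSuffix(link, "]") {
		return 0, fmt.Errorf("unexpected namespace link %q", link)
	}
	inode, err := strconv.ParseUint(link[len(prefix):len(link)-1], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("bad inode in %q: %w", link, err)
	}
	return inode, nil
}

// netNSInode returns the network namespace inode of the given process
// ("self" or a numeric PID). Reading another process's ns entry requires
// ptrace-read permission on that process, so this can fail with EACCES
// for an unprivileged caller.
func netNSInode(pid string) (uint64, error) {
	link, err := os.Readlink("/proc/" + pid + "/ns/net")
	if err != nil {
		return 0, err
	}
	return parseNSLink(link, "net")
}

// sharesNetNSWithInit reports whether the caller is in the same network
// namespace as PID 1 of the caller's PID namespace. Caveat: this equals
// "the root network namespace" only when the caller sees the host PID
// namespace; inside a container, PID 1 is that container's init.
func sharesNetNSWithInit() (bool, error) {
	self, err := netNSInode("self")
	if err != nil {
		return false, err
	}
	initNS, err := netNSInode("1")
	if err != nil {
		return false, fmt.Errorf("cannot inspect PID 1 netns: %w", err)
	}
	return self == initNS, nil
}

// sysctlVisible mirrors the fragile approach the issue describes: treat the
// namespace as root if a sysctl file exists. Kept only for contrast; its
// answer depends on the running kernel's sysctl visibility rules.
func sysctlVisible(path string) bool {
	_, err := os.Stat(path)
	return err == nil
}

func main() {
	same, err := sharesNetNSWithInit()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("same network namespace as PID 1:", same)
	fmt.Println("rmem_default visible:", sysctlVisible("/proc/sys/net/core/rmem_default"))
}
```

Run as root on a Linux host, `ip netns exec foo` around the binary flips the first line to false on both 6.6 and 6.11, while the second line is the value whose meaning changed between those kernels.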

ayushr2 commented 3 months ago

https://github.com/torvalds/linux/commit/19249c0724f2048ab68179eac69004947b07d431